Ask the Experts

Ask the Experts

• If one server in a DMZ network gets attacked from outside, will the other servers be corrupted?

  An attack to a DMZ server is a big security risk. But does it necessarily mean that other servers are infected? Network security expert Mike Chapple weighs in.  Continue Reading

• What is the purpose of RFID identification?

  RFID identification can be used to keep track of everything from credit cards to livestock. But what security risks are involved?  Continue Reading

• How to secure an FTP connection

  Network security expert Mike Chapple offers three tips that enable an FTP connection without opening up an enterprise to security risks.  Continue Reading

• What are the pros and cons of shaping P2P packets?

  Packet shaping, a technique used to control computer network traffic, really isn't a security issue; it's a policy matter, says network expert Mike Chapple. Learn why, in this SearchSecurity.com Q&A.  Continue Reading

• Two-tier distributed systems vs. three-tier distributed systems

  Mike Rothman discusses the pros and cons of using two-tier distribution systems vs. thee-tier distributed systems.  Continue Reading

• DMVPN configuration: Should a firewall be between router and Internet?

  Cisco's Dynamic Multipoint VPN (DMVPN) product allows the configuration of site-to-site VPNs across WAN connections. Security expert Mike Chapple explains how a firewall fits into this particular network setup.  Continue Reading

• Is centralized logging worth all the effort?

  Network log records play an extremely important role in any well-constructed security program. Expert Mike Chapple explains how to implement a centralized logging infrastructure.  Continue Reading

• Does SOX provision email archiving?

  Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention.  Continue Reading

• How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions?

  What's the best way to comply with PCI DSS without having to create a secure IPsec tunnel with every connection to critical systems? Security management expert Mike Rothman gives his advice.  Continue Reading

• What techniques are being used to hack smart cards?

  Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.  Continue Reading

• How secure is online banking today?

  Most banks take the security of their online services seriously. In this expert Q&A, Michael Cobb explains why online banking is relatively safe -- with the exception of one particular mistake.  Continue Reading

• How should the ipseccmd.exe tool be used in Windows Vista?

  Ipseccmd is a command-line tool for displaying and managing IPsec policy and filtering rules. Expert Michael Cobb explains how to get the scripting utility to work with Vista.  Continue Reading

• How to protect DNS servers

  The DNS database is the world's largest distributed database, but unfortunately, DNS was not designed with security in mind. Application security expert Michael Cobb explains how to keep a DNS server from being hijacked.  Continue Reading

• Are encrypted Microsoft Word files safer in transit than PDF files?

  In this expert Q&A, Michael Cobb demonstrates how a misconfigured firewall makes it easy for some Microsft Word and PDF files to be sniffed in transit.  Continue Reading

• How would you define the responsibilities of a data custodian in a bank?

  Data security is incredibly important for financial institutions, and it's the data custodian's job to make sure that data is safe. Security management expert Mike Rothman explains more.  Continue Reading

• Should an intrusion detection system (IDS) be written using Java?

  There's no reason that you couldn't implement intrusion detection functionality in any higher-level programming language, Java included. Network security expert Mike Chapple, however, explains why Java may not be the best choice.  Continue Reading

• Can Trojans and other malware exploit split-tunnel VPNs?

  The beauty of split tunneling is that an enterprise doesn't need to provide the general Internet access point for a VPN user. Mike Chapple, however, also explains why split-tunnel VPNs provide a false sense of security.  Continue Reading

• Can a firewall alone effectively block port-scanning activity?

  In this expert response, Mike Chapple reveals which product is the best line of defense against port scanning threats.  Continue Reading

• Biometrics vs. biostatistics

  In this expert response, Joel Dubin examines the differences between biometrics and biostatistics.  Continue Reading

• What are the risks of connecting a Web service to an external system via SSL?

  Security pro Joel Dubin discusses the risks associated with SSL connections, and offers advice on how to avoid them.  Continue Reading

• What are the dangers of using radio frequency identification (RFID) tags?

  In this expert response, Joel Dubin discusses the dangers associated with radio frequency identification (RFID) tags, and how users can protect themselves.  Continue Reading

• Preventing employees from using a proxy to visit blocked sites

  P2P blocking can be difficult; smart blocking tools can help.  Continue Reading

• What software development practices prevent input validation attacks?

  Improper input validation leads to numerous kinds of attacks, including cross-site scripting, SQL injection and command injection. In this expert Q&A, Michael Cobb reviews the most important application development practices.  Continue Reading

• What can be done to block adult images in search engine results?

  What steps can be taken to ensure that children cannot access pornographic images through Google on their school's internet connection? Mike Rothman explains the options and the inherent difficulties.  Continue Reading

• A security checklist: How to build a solid DMZ

  As part of his monthly response to readers, Mike Chapple provides a list of security add-ons that no DMZ should be without.  Continue Reading

• Open source vs. commercial network access control (NAC) products

  There are now a number of free and open source network access control (NAC) products, but how do they stack up against the commercial options? Network professional Mike Chapple reviews the free alternatives, but also warns readers that a "stepping ...  Continue Reading

• What to consider before opening a port

  Recently, a reader asked network expert Mike Chapple, "What would be the security implications of opening six ports through a firewall?" Chapple reviews what questions need to be addressed before an organization exposes any network ports.  Continue Reading

• How to prevent hack attacks against smart card systems.

  What are smart cards, and how can the security of a smart card itself be maintained?  Continue Reading

• What are the pros and cons of using stand-alone authentication that is not Active Directory-based?

  Password managment tools other than Active Directory are available, though they may not be the best access control coordinators.  Continue Reading

• How can birth certificate fraud and passport fraud be prevented?

  Best practices for preventing birth certificate and passport fraud from expert Mike Rothman.  Continue Reading

• What security risks do enterprise honeypots pose?

  Honeypots can provide a great deal of insight into an environment's attack activity. However, before implementing them, there are some significant issues that require careful consideration and planning.  Continue Reading

• Does Teredo present security risks to the enterprise?

  Teredo allows internal networks to transition to IPv6, interconnecting them through their NAT devices and across the IPv4 Internet. Ed Skoudis explains why this function isn't as innocent as it seems.  Continue Reading

• How effective are phishing links that refer to FTP sites?

  The vast majority of phishing emails still include HTTP links, but there has been a recent smattering that refer to FTP sites. In this SearchSecurity.com Q&A, Ed Skoudis explains how to be ready for the malicious messages.  Continue Reading

• Should a Java Runtime Environment (JRE) be kept up to date?

  Critical security flaws are often discovered in Java Runtime Environment implementations. Unfortunately, most users don't apply any appropriate patches. Ed Skoudis reveals the security risks posed by a vulnerable JRE.  Continue Reading

• How to conduct an efficient and thorough employee access review

  In order to meet HIPAA and SOX compliance requirements, an employee access review is necessary.  Continue Reading

• Will one failed drive corrupt the rest of a RAID-5 array?

  In this expert Q&A, Michael Cobb explains when it is appropriate to keep a RAID-5 array's failed drive online.  Continue Reading

• What security issues can arise from unsynchronized system clocks?

  Network administrators don't always pay enough attention to the issues of system clock accuracy and time synchronization. Michael Cobb explains why that can lead to security problems.  Continue Reading

• What precautions should be taken if biometric data is compromised?

  In this Q&A, Joel Dubin discusses what precautions to take if corporate biometric data is stolen.  Continue Reading

• Getting started on a career in penetration testing

  In this expert response, Mike Rothman offers insight on how to start a career in penetration testing.  Continue Reading

• Is it against HIPAA regulations to display client names?

  Security management expert Mike Rothman discusses the terms of HIPAA, specifically if it is a violation of the act to publicly display client names.  Continue Reading

• What is Spycar?

  Spycar, still available for free, tests a machine against 17 daggressive spyware-like behaviors. Information security threat expert Ed Skoudis explains the tool and gives a preview of Spycar 2.  Continue Reading

• How to prevent hackers from accessing your router security password

  In this Q&A, Joel Dubin unveils the best practices for protecting a router security password from compromise.  Continue Reading

• How does identity propagation work?

  In this expert Q&A, Joel Dubin defines identity propagation and explains how it works.  Continue Reading

• What is the best way to comply with PCI DSS requirements 9 and 10?

  Security management expert Mike Rothman unveils how corporations can get compliant with PCI DSS guidelines, specifically requirements 9 and 10.  Continue Reading

• Comparing proxy servers and packet-filtering firewalls

  In the world of security, judging proxy servers and packet-filtering firewalls together is like comparing apples and oranges. But that won't stop network security expert Mike Chapple from giving such comparisons a try.  Continue Reading

• How can root and administrator privileges of different systems be delegated on one account?

  In this expert response, Joel Dubin discusses how corporations can manage "superuser" accounts by delegating root and administrator privileges.  Continue Reading

• Will FTP ever be a secure way to transfer files?

  A SearchSecurity.com member asks our network security expert Mike Chapple: Is the File Transfer Protocol a secure way to transfer files? As one of his many monthly responses to readers, Chapple reveals a better alternative to FTP.  Continue Reading

• Is it a violation of HIPAA to collect consumer Social Security numbers?

  In this expert response, Mike Rothman discusses if collecting consumer SSNs is a HIPAA violation, and unveils how to handle employees that disregard corporate policies.  Continue Reading

• What are the security risks of a corporate divestiture?

  Security management expert Mike Rothman discusses the data protection issues involved with a corporate divestiture .  Continue Reading

• Will enabling Group Policy password settings affect existing user accounts?

  In this expert response, identity management and access control expert Joel Dubin discusses the affect that Active Directory Group Policy password settings can have on user accounts.  Continue Reading

• Are challenge-response technologies the best way to stop spam?

  Challenge-response spam technology intercepts incoming emails and sends a challenge to the sender, asking him or her to confirm the message's validity. Though the antispam mechanism has gained popularity, there may be more secure alternatives, says ...  Continue Reading

• How to test an e-commerce Web site's security and privacy defenses

  Assessing the security of e-commerce sites means checking up on their associated servers, databases and applications. In this expert response, Michael Cobb explains where to start.  Continue Reading

• Is it possible to identify a fake wireless access point?

  A network's identity is easy to fake. If you're looking for proof of a valid access point, Mike Chapple reveals some secure wireless options.  Continue Reading

• Using fingerprint door locks in a network environment

  Identity management and access control expert Joel Dubin discusses fingerprint door lock technology, and unveils whether or not they can be controlled through a network.  Continue Reading

• Traditional single sign-on (SSO) products versus federated identities

  Identity management and access control expert Joel Dubin discusses the pros and cons of single sign-on products and federated identities.  Continue Reading

• Why does Skype connect to so many servers?

  Skype is a peer-to-peer service that uses a distributed network of "supernodes" to facilitate communication throughout the world. But is it safe to have so many "volunteer" connections? Mike Chapple explains.  Continue Reading

• What are the dangers of Web-based remote access systems?

  Identity management and access control expert Joel Dubin discusses the security risk associated with using Web-based remote access systems, such as LogMeIn and GoToMyPC.  Continue Reading

• Where did the biometric device come from?

  In this expert Q&A, security expert Joel Dubin discusses the history of the biometric device, more specifically the fingerprint reader and scanner.  Continue Reading

• What are the best bot detection tools?

  Today, antimalware tools can detect hundreds of different bot variants using signature and heuristic techniques, but they aren't perfect. Ed Skoudis reveals some other options.  Continue Reading

• Can fuzzing identify cross-site scripting (XSS) vulnerabilities?

  Fuzzing may find weaknesses in software, but the testing process can't find every flaw. Ed Skoudis explains what other tools are necessary when looking for cross-site scripting vulnerabilities.  Continue Reading

• What is an ideal patch management process for small businesses?

  Patch management and testing can be a time-consuming and resource-hungry task. In this expert response, Michael Cobb demonstrates how to streamline the process.  Continue Reading

• Can Snort stop application-layer attacks?

  Even though Snort can add an important layer of defense for applications, it won't fix the underlying problem of poorly written ones. Michael Cobb reveals a more efficient technique for patching up XSS and SQL injection vulnerabilities.  Continue Reading

• What types of software can help a company perform a security risk assessment?

  Security management expert Mike Rothman unveils what kind of software is on the market to help assist a company in the risk assessment process.  Continue Reading

• Is encrypting cookies a PCI DSS requirement?

  Security management expert Mike Rothman discusses whether or not storing sensitive information in the form of a cookie is considered a violation of PCI DSS.  Continue Reading

• How should sensitive customer data, such as driver's license information, be handled?

  In this Q&A, Identity management and access control expert Joel Dubin discusses how to properly protect the personal data of a driver's license.  Continue Reading

• Choosing from the top PKI products and vendors

  In this expert response, security pro Joel Dubin discusses the best ways to compare PKI products and vendors for enterprise implementation of PKI.  Continue Reading

• Does single sign-on (SSO) improve security?

  In this expert response, security pro Joel Dubin discusses the impact that enterprise single sign-on (SSO) can have on a security program.  Continue Reading

• What are the pros and cons of using keystroke dynamic-based authentication systems?

  In this SearchSecurity.com Q&A, security pro Joel Dubin discusses the positive and negative aspects of using keystroke dynamic-based authentication systems.  Continue Reading

• What mistakes are made when implementing enterprise IAM systems?

  In this SearchSecurity.com Q&A, security expert Joel Dubin unveils the biggest mistakes made by corporations during identity and access management system implementation, and offers advice on how to avoid them.  Continue Reading

• How to keep personally identifiable information out of access logs

  Are there products available that can hide the internal IP addresses recorded in log files? Maybe not, but in this expert Q&A, Michael Cobb reveals which tools can prevent the transfer of personally identifiable information to third parties.  Continue Reading

• What are the best laptop data encryption options?

  When it comes to protecting laptops and hard drives, there are plenty of choices. In this expert Q&A, Michael Cobb lays out some data protection options. And they're not just software-based, either.  Continue Reading

• Can the symmetric encryption algorithm for S/MIME messages be changed?

  Encryption algorithm requirements ensure a base level of interoperability among all S/MIME implementations. Email clients, however, can add additional algorithms, provided they correctly identify which algorithms a particular message uses. Expert ...  Continue Reading

• What are the proper procedures for handling a potential insider threat?

  In this SearchSecuity.com Q&A, Mike Rothman discusses how corporations can avoid insider threats by forming an incident response plan and monitoring employee behavior.  Continue Reading

• How expensive are IPsec VPN setup costs?

  Although IPsec VPN tunnels tend to be fairly low maintenance, their setup and maintenance costs can quickly mount, depending on an enterprise's equipment. In this expert Q&A, Mike Chapple reveals how much enterprises can expect to pay on a new ...  Continue Reading

• Will iptables screen UDP traffic?

  UDP is a connectionless protocol that can't be screened using strict stateful inspection. However, most modern firewalls, including iptables, treat UDP in the same manner as a connection-oriented protocol. Mike Chapple explains the process in this ...  Continue Reading

• Should a router be placed between the firewall and DMZ?

  Modern firewalls have the ability to serve as a router, negating the need of another device on a network. There are exceptions to this router rule, however. Network security expert Mike Chapple explains.  Continue Reading

• Will deploying VoIP on an 802.1x network create security problems?

  Voice over IP telephony is beginning to replace traditional PBX in the enterprise. In this expert Q&A, Mike Chapple explains how the popular VoIP technology has its own unique security implications.  Continue Reading

• How does SSL 'sit' between the network layer and application layer?

  SSL is neither a network layer protocol nor an application layer protocol. In this SearchSecurity.com Q&A, Michael Cobb explains how SSL "sits" between both layers.  Continue Reading

• How secure is the Windows registry?

  In this SearchSecurity.com Q&A, platform security expert Michael Cobb explains the weaknesses of the Windows registry and explores other OS alternatives.  Continue Reading

• Does SMS spoofing require as much effort as email spoofing?

  SMS text message spoofing demands a little more technical knowledge than email spoofing. But not much, says information security threat expert Ed Skoudis. In this Q&A, Skoudis explains how that technical know-how has now been embedded in easy-to-use...  Continue Reading

• Will log-in form data posted to an SSL page always be encrypted?

  If a Web page login form is not SSL-protected, but the login data is posted to an SSL page, is the information encrypted and safe? Not at all, says Michael Cobb in this SearchSecurity.com Q&A.  Continue Reading

• Should third-party software tools be used to customize applications?

  Many features and functions required for today's network-ready applications can be purchased at a fraction of the cost that it would take to build them independently. But are they safe enough? Application security expert Michael Cobb explains.  Continue Reading

• What risks are associated with biometric data, and how can they be avoided?

  In this SearchSecurity.com Q&A, security expert Joel Dubin examines the pros and cons of implementing biometric data and explains how to avoid risks associated with the technology.  Continue Reading

• Are one-time password tokens susceptible to man-in-the-middle attacks?

  In this SearchSecurity.com Q&A, security pro Joel Dubin discusses the vulnerabilities of one-time password (OTP) token authentication, including man-in-the-middle attacks.  Continue Reading

• What evaluation criteria should be used when buying a firewall?

  Choosing a firewall for the enterprise isn't always easy. In this expert Q&A, Mike Chapple provides three important points to consider before deciding on a product.  Continue Reading

• Is the Storm worm virus still a serious threat?

  Today, attackers continue to have success with the Storm worm and its many variations, using the malware to strengthen their nasty botnets. In this SearchSecurity.com Q&A, expert Ed Skoudis explains why these rather run-of-the-mill attacks are still...  Continue Reading

• What are the risks of turning off pre-boot authentication?

  In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin discusses the dangers associated with turning off pre-boot authentication (PBA)?  Continue Reading

• What are the pros and cons of outsourcing email security services?

  In this SearchSecurity.com Q&A, application security expert Michael Cobb explains whether it's right for your organization to hand off email security services to another provider.  Continue Reading

• How to select a penetration tester

  Penetration testing tools can simulate attacks and help organizations get an idea of their security vulnerabilities. In this SearchSecurity.com Q&A, platform security expert Michael Cobb explains what you should be getting out of your penetration ...  Continue Reading

• What is the best organizational model for an IT security staff?

  In this SearchSecurity.com Q&A, security management expert Mike Rothman unveils the essential policies, procedures and job functions that contribute to the successful functionality of an IT security staff.  Continue Reading

• What are the pros and cons of using an email encryption gateway?

  In this SearchSecurity.com Q&A, security management expert Mike Rothman discusses the pros and cons of using an email encryption gateway to prevent data leakage.  Continue Reading

• What are the potential risks of giving remote access to a third-party service provider?

  In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin discusses the potential risks involved with providing remote access to a third-party service provider.  Continue Reading

• Is the use of digital certificates with passwords considered two-factor authentication?

  In this SearchSecurity.com Q&A identity management and access control expert Joel Dubin identifies the factors that contribute to two-factor authentication, such as smart cards and digital certificates.  Continue Reading

• How to test an enterprise single sign-on login

  In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin examines the best ways to test an enterprise single sign-on (SSO) login.  Continue Reading

• Creating a personal digital certificate

  In this SearchSecurity.com expert Q&A, identity management and access control pro Joel Dubin discusses the pros and cons associated with creating a personal digital certificate.  Continue Reading

• What should be done with a RAID-5 array's failed drives?

  Even one failed drive in a RAID-5 array can present an enterprise with serious data protection concerns. In this SearchSecurity.com Q&A, expert Michael Cobb explains which policies can protect and recover RAID-5 data.  Continue Reading

• What are the drawbacks to application firewalls?

  Application-layer firewalls examine ingoing and outgoing traffic more carefully than traditional packet-filtering firewalls, so why are some holding back on deployment? In this SearchSecurity.com Q&A, Michael Cobb reveals some cost and performance ...  Continue Reading

• How secure are document scanners and other 'scan to email' appliances?

  Copiers and document scanners have always posed challenges for information security teams. In this SearchSecurity.com Q&A, Michael Cobb reveals how the right policies can control the use (and abuse) of these devices.  Continue Reading

• What are the alternatives to RC4 and symmetric cryptography systems?

  In this SearchSecurity.com Q&A, network security expert Mike Chapple explains how RC4 encryption stacks up against public key cryptography.  Continue Reading

• What policies will prevent employees from leaking sensitive data?

  In this SearchSecurity.com Q&A, security management expert Mike Rothman outlines the necessary policies and procedures that corporations should enforce to protect customer information, prevent data leakage and comply with employee privacy rights.  Continue Reading